Critical UEFI Flaw (CVE-2025-3052) Exposes Systems to Bootkit Attacks
A newly disclosed memory corruption vulnerability in UEFI firmware, tracked as CVE-2025-3052, allows threat actors to bypass Secure Boot and deploy bootkit malware. Discovered by Binarly researchers, the flaw lies in a certificate-signed module that trusts a user-writable NVRAM variable: an attacker who already holds admin-level OS privileges can set that variable and obtain arbitrary memory writes while the module runs during the UEFI boot process.
Microsoft initially believed the issue affected only a single module but later confirmed 14 vulnerable modules during triage. The company released patches on June 10, 2025, as part of its Patch Tuesday updates, adding 14 new hashes to the dbx (Secure Boot Forbidden Signature Database) so that the affected modules are refused at boot even though their signatures remain valid.
In a related development, cybersecurity researcher Nikolaj Schlej revealed that Insyde H2O-based UEFI firmware was also impacted by a separate Secure Boot bypass flaw (CVE-2025-4275), dubbed Hydrophobia, which the vendor has since remediated. The discovery underscores ongoing risks in UEFI firmware security, where vulnerabilities can persist across multiple implementations.
Insyde Software TPRM report: https://www.rankiteo.com/company/insyde-software
{
  "id": "ins1768378515",
  "linkid": "insyde-software",
  "type": "Vulnerability",
  "date": "6/2025",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}
{
  "affected_entities": [
    {"type": "Organizations and users with vulnerable UEFI firmware"}
  ],
  "attack_vector": "Memory corruption in UEFI module",
  "date_resolved": "2025-06-10",
  "description": "Attacks involving the UEFI certificate-signed module memory corruption flaw, tracked as CVE-2025-3052, could enable the circumvention of Secure Boot and eventual injection of bootkit malware. Threat actors with admin operating system privileges could alter the vulnerable utility's user-writable NVRAM variable to facilitate in-memory writing of arbitrary data during the UEFI boot process. The vulnerability affected 14 different modules, and fixes were released by Microsoft on June 10, 2025.",
  "impact": {
    "operational_impact": "Potential bootkit malware injection",
    "systems_affected": "UEFI firmware, Secure Boot process"
  },
  "post_incident_analysis": {
    "corrective_actions": "Patch vulnerable UEFI modules and update dbx with new hashes",
    "root_causes": "Memory corruption flaw in UEFI certificate-signed module (CVE-2025-3052) allowing NVRAM variable manipulation"
  },
  "recommendations": "Immediately apply the issued fixes for CVE-2025-3052 to prevent Secure Boot bypass and bootkit malware injection.",
  "references": [
    {"source": "BleepingComputer"},
    {"source": "Binarly researchers"}
  ],
  "response": {
    "containment_measures": "Application of Microsoft's Patch Tuesday fixes (June 10, 2025)",
    "remediation_measures": "Updated dbx with 14 new hashes to block vulnerable modules",
    "third_party_assistance": "Binarly researchers"
  },
  "title": "UEFI Secure Boot Bypass via CVE-2025-3052 Memory Corruption Flaw",
  "type": "Secure Boot Bypass",
  "vulnerability_exploited": "CVE-2025-3052"
}